(U) Overview

■ (U) What is TOR?
■ (S//SI//REL) The TOR Problem
■ (TS//SI//REL) EGOTISTICALGOAT
■ (TS//SI//REL) EGOTISTICALGIRAFFE
■ (U) Future Development
■ (U) “The Onion Router”

■ (U) Enables anonymous internet activity
  ° General privacy
  ° Non-attribution
  ° Circumvention of nation state internet policies

■ (U) Hundreds of thousands of users
  ° Dissidents (Iran, China, etc.)
  ° (S//SI//REL)
  ° (S//SI//REL) Other targets too!
(U) What is TOR?

■ (U) TOR Browser Bundle
  ° Portable Firefox 10 ESR (tbb-firefox.exe)
  ° Vidalia
  ° Polipo
  ° TorButton
  ° TOR

■ “Idiot-proof”
(S//SI//REL) The TOR Problem

■ (TS//SI//REL) Fingerprinting TOR
■ (TS//SI//REL) Exploiting TOR
■ (TS//SI//REL) Callbacks from TOR
(TS//SI//REL) Fingerprinting TOR

(Figure: four different TOR Browser Bundle installs, each reporting the same platform and browser. The figure converges on a single node: 32-bit Windows 7, Firefox/10.0.)

  Actual platform     Actual browser          Reported platform   Reported browser
  Windows XP          Firefox 10.0.5 ESR?     32-bit Windows 7    Firefox/10.0
  Ubuntu 11.10        Firefox 10.0.7 ESR?     32-bit Windows 7    Firefox/10.0
  64-bit Mac OS X     Firefox 10.0.4 ESR?     32-bit Windows 7    Firefox/10.0
  64-bit Windows 7    Firefox 10.0.10 ESR?    32-bit Windows 7    Firefox/10.0
(TS//SI//REL) Fingerprinting TOR

■ (TS//SI//REL) BuildID gives a timestamp for when the Firefox release was built

  (Figure: BuildID digits grouped as) Year Month Day Hour Min Sec

■ (TS//SI//REL) tbb-firefox’s BuildID:
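The BuildID point above, as an added example that is not part of the original slides: a small Python parser that decodes a Firefox BuildID into the build timestamp the slide describes (Year Month Day Hour Min Sec), plus the check a browser vendor or privacy tester would run to see whether the reported value still carries a fingerprint. The sample BuildIDs are constructed; the slide's actual tbb-firefox BuildID is not reproduced here. The constant 20100101 is the value Firefox reports for navigator.buildID when privacy.resistFingerprinting is enabled, the mode Tor Browser ships with; the function names and the 10-digit legacy form handling are this example's own choices.

```python
"""Decode Firefox BuildIDs and judge what they leak (constructed samples)."""
import re
from datetime import datetime, timezone

# A Firefox BuildID is the build's UTC timestamp written as digits:
# YYYYMMDDHHMMSS (14 digits); very old builds used YYYYMMDDHH (10 digits).
_BUILDID_RE = re.compile(r"^\d{10}(?:\d{4})?$")

# navigator.buildID as reported with privacy.resistFingerprinting enabled
# (the mode Tor Browser ships with): the same constant for every user.
RESIST_FINGERPRINTING_BUILDID = "20100101"


def parse_build_id(build_id: str):
    """Return the build timestamp as an aware UTC datetime, or None.

    The digit groups are Year Month Day Hour Min Sec, so a genuine BuildID
    pins down the exact release build of the browser that reported it.
    """
    if not _BUILDID_RE.fullmatch(build_id):
        return None
    fmt = "%Y%m%d%H%M%S" if len(build_id) == 14 else "%Y%m%d%H"
    try:
        return datetime.strptime(build_id, fmt).replace(tzinfo=timezone.utc)
    except ValueError:  # right length, but not a calendar date (month 13, etc.)
        return None


def classify_build_id(build_id: str) -> str:
    """'constant' (spoofed, reveals nothing), 'timestamp' (reveals the
    release build) or 'invalid' (not a BuildID at all)."""
    if build_id == RESIST_FINGERPRINTING_BUILDID:
        return "constant"
    return "timestamp" if parse_build_id(build_id) is not None else "invalid"


def distinct_builds(reported: list) -> int:
    """How many buckets a set of reported BuildIDs sorts clients into.

    Every real timestamp is its own bucket; all spoofed constants collapse
    into one, which is the whole point of reporting a constant.
    """
    buckets = set()
    for build_id in reported:
        kind = classify_build_id(build_id)
        buckets.add(build_id if kind == "timestamp" else kind)
    return len(buckets)


if __name__ == "__main__":
    # Constructed sample values; not the tbb-firefox BuildID from the slide.
    samples = ["20120101000000", "20120201000000", "20100101", "20100101", "20121301000000"]
    for s in samples:
        print(s, classify_build_id(s), parse_build_id(s))
    print("distinguishable buckets:", distinct_builds(samples))
```

Running the block shows the two real timestamps each landing in their own bucket while both spoofed constants share one; a fixed BuildID removes the release-build signal entirely, which is why the mitigation is to report a constant rather than to round or fuzz the date.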
(TS//SI//REL) Fingerprinting TOR

■ (TS//SI//REL) TorButton cares about TOR users being indistinguishable from other TOR users

■ (TS//SI//REL) We only care about TOR users versus non-TOR users

■ (TS//SI//REL) Thanks to TorButton, it’s easy!
(S//SI//REL) The TOR Problem

■ (TS//SI//REL) Fingerprinting TOR
■ (TS//SI//REL) Exploiting TOR
■ (TS//SI//REL) Callbacks from TOR
(TS//SI//REL) Exploiting TOR

■ (TS//SI//REL) tbb-firefox is barebones
  ° Flash is a no-no
  ° NoScript addon pre-installed...
    ...but not enabled by default!
  ° TOR explicitly advises against using any addons or extensions other than TorButton and NoScript

■ (TS//SI//REL) Need a native Firefox exploit
(TS//SI//REL) Exploiting TOR

■ (TS//SI//REL) ERRONEOUSINGENUITY
  ° Commonly known as ERIN
  ° First native Firefox exploit in a long time
  ° Only works against 13.0-16.0.2

■ (TS//SI//REL) EGOTISTICALGOAT
  ° Commonly known as EGGO
  ° Configured for 11.0-16.0.2...
    ...but the vulnerability also exists in 10.0!
(U) EGOTISTICALGOAT

■ (TS//SI//REL) Type confusion vulnerability in E4X

■ (TS//SI//REL) Enables arbitrary read/write access to the process memory

■ (TS//SI//REL) Remote code execution via the CTypes module
(TS//SI//REL) Exploiting TOR

■ (TS//SI//REL) Can't distinguish OS until on box
  ° That's okay

■ (TS//SI//REL) Can't distinguish Firefox version until on box
  ° That's also okay

■ (TS//SI//REL) Can't distinguish 64-bit from 32-bit until on box
  ° I think you see where this is going
(S//SI//REL) The TOR Problem

■ (TS//SI//REL) Fingerprinting TOR
■ (TS//SI//REL) Exploiting TOR
■ (TS//SI//REL) Callbacks from TOR
(TS//SI//REL) Callbacks from TOR

■ (TS//SI//REL) Tests on Firefox 10 ESR worked

■ (TS//SI//REL) Tests on tbb-firefox did not
  ° Gained execution
  ° Didn't receive FINKDIFFERENT

■ (TS//SI//REL) Defeated by Prefilter Hash!
  ° Requests EGGI: Hash(tor_exit_ip || session_id)
  ° Requests FIDI: Hash(target_ip || session_id)
(TS//SI//REL) Callbacks from TOR

■ (TS//SI//REL) Easy fix
  ° Turn off prefilter hashing
  ° FUNNELOUT

■ (TS//SI//REL) OPSEC Concerns
  ° Pre-play attacks
  ° PSPs
  ° Adversarial Actors
  ° Targets worth it?
(S//SI//REL) The TOR Problem

■ (TS//SI//REL) Fingerprinting TOR
■ (TS//SI//REL) Exploiting TOR
■ (TS//SI//REL) Callbacks from TOR